Traefik Routing for Firefly III

Greetings Stack Overflow,

I have a Raspberry Pi 4B on which I installed Ubuntu 20. (Linux ubuntu 5.4.0-1034-raspi aarch64 - Ubuntu 20.04.1 LTS)

I want to install several applications on this Pi, for local use only. To be able to expose multiple applications, I use Traefik as a proxy. To make deploying applications easier, I use Docker and Docker Compose.

Already up and running I have a Nextcloud instance, which works very well. Now I want to add Firefly III as an application, but the routing does not work and greets me with a "Bad Gateway".

Here is my

The following docker-compose.yml works perfectly for my Nextcloud:

version: '3.3'

services:
  nextcloud-db:
    image: mariadb
    container_name: nextcloud-db
    command: --transaction-isolation=READ-COMMITTED --log-bin=ROW
    restart: unless-stopped
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /etc/timezone:/etc/timezone:ro
      - /opt/containers/nextcloud/database:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD={supersecret}
      - MYSQL_PASSWORD={supersecret}
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloudusr
      - MYSQL_INITDB_SKIP_TZINFO=1
    networks:
      - default

  nextcloud-redis:
    image: redis:alpine
    container_name: nextcloud-redis
    hostname: nextcloud-redis
    networks:
        - default
    restart: unless-stopped
    command: redis-server --requirepass {supersecret}

  nextcloud-app:
    image: nextcloud
    container_name: nextcloud-app
    restart: unless-stopped
    depends_on:
      - nextcloud-db
      - nextcloud-redis
    environment:
        REDIS_HOST: nextcloud-redis
        REDIS_HOST_PASSWORD: {supersecret}
    volumes:
      - /opt/containers/nextcloud/app:/var/www/html
      - /opt/containers/nextcloud/daten:/var/www/html/data

    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.nextcloud-app.entrypoints=http"
      - "traefik.http.routers.nextcloud-app.rule=Host(`nextcloud.mydomain.com`)"
      - "traefik.http.middlewares.nextcloud-app-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.nextcloud-app.middlewares=nextcloud-app-https-redirect"
      - "traefik.http.routers.nextcloud-app-secure.entrypoints=https"
      - "traefik.http.routers.nextcloud-app-secure.rule=Host(`nextcloud.mydomain.com`)"
      - "traefik.http.routers.nextcloud-app-secure.tls=true"
      - "traefik.http.routers.nextcloud-app-secure.tls.certresolver=http"
      - "traefik.http.routers.nextcloud-app-secure.service=nextcloud-app"
      - "traefik.http.services.nextcloud-app.loadbalancer.server.port=80"
      - "traefik.docker.network=proxy"
      - "traefik.http.routers.nextcloud-app-secure.middlewares=nextcloud-dav,secHeaders@file"
      - "traefik.http.middlewares.nextcloud-dav.replacepathregex.regex=^/.well-known/ca(l|rd)dav"
      - "traefik.http.middlewares.nextcloud-dav.replacepathregex.replacement=/remote.php/dav/"
    networks:
      - proxy
      - default

networks:
  proxy:
    external: true

Knowing that this configuration and these Traefik labels work, I assumed that the following docker-compose.yml, now for Firefly III, would work too. Although the container spins up without any visible problems (I can see in the container log that the application connects to the database and prepares everything), it cannot be reached through the browser; I get a Bad Gateway.

Here is my docker-compose.yml for Firefly III:

version: '3.3'

services:
  fireflydb:
    image: mariadb
    container_name: fireflydb
    environment:
      - MYSQL_RANDOM_ROOT_PASSWORD=yes
      - MYSQL_USER=fireflyuser
      - MYSQL_PASSWORD={supersecret}
      - MYSQL_DATABASE=fireflydb
    volumes:
      - firefly_db:/var/lib/mysql
    networks:
      - default

  firefly:
    image: jc5x/firefly-iii:latest
    container_name: firefly
    volumes:
      - firefly_upload:/var/www/html/storage/upload
    depends_on:
      - fireflydb
    env_file: .env
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.firefly-app.entrypoints=http"
      - "traefik.http.routers.firefly-app.rule=Host(`firefly.mydomain.com`)"
      - "traefik.http.middlewares.firefly-app-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.firefly-app.middlewares=firefly-app-https-redirect"
      - "traefik.http.routers.firefly-app-secure.entrypoints=https"
      - "traefik.http.routers.firefly-app-secure.rule=Host(`firefly.mydomain.com`)"
      - "traefik.http.routers.firefly-app-secure.tls=true"
      - "traefik.http.routers.firefly-app-secure.tls.certresolver=http"
      - "traefik.http.routers.firefly-app-secure.service=firefly-app"
      - "traefik.http.services.firefly-app.loadbalancer.server.port=80"
      - "traefik.docker.network=proxy"
    networks:
      - proxy
      - default

volumes:
  firefly_upload:
  firefly_db:

networks:
  proxy:
    external: true

The only differences between the Traefik labels are that I don't need the replacepathregex labels for firefly, and that I changed the host and the app names:

nextcloud.mydomain.com -> firefly.mydomain.com
nextcloud-app/nextcloud-app-secure -> firefly-app/firefly-app-secure

I just don't understand yet why the "same" configuration behaves differently. The Traefik container log doesn't throw any errors.

A note on the SSL certificates: since the application runs in my local network and I edit my local hosts file to reach the application through the browser, SSL renewal is not possible, I know that. I currently work around it by renewing manually on a different server and copying the certificates to my Pi. Quick and dirty, but it works for now.

For completeness, here are the traefik.yml, docker-compose.yml and dynamic_conf.yml of my Traefik:

traefik.yml:

api:
  dashboard: true

entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: "/dynamic_conf.yml"

certificatesResolvers:
  http:
    acme:
      email: mymail@mydomain.com
      storage: acme.json
      httpChallenge:
        entryPoint: http

docker-compose.yml:

version: '3'

services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data/traefik.yml:/traefik.yml:ro
      - ./data/acme.json:/acme.json
      - ./data/dynamic_conf.yml:/dynamic_conf.yml
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik.mydomain.com`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=user:secret"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.mydomain.com`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=http"
      - "traefik.http.routers.traefik-secure.service=api@internal"
      - "providers.file.filename=/dynamic_conf.yml"

networks:
  proxy:
    external: true

dynamic_conf.yml:

tls:
  options:
    default:
      minVersion: VersionTLS12

      cipherSuites:
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
        - TLS_AES_128_GCM_SHA256
        - TLS_AES_256_GCM_SHA384
        - TLS_CHACHA20_POLY1305_SHA256

      curvePreferences:
        - CurveP521
        - CurveP384

      sniStrict: true

http:
  middlewares:
    secHeaders:
      headers:
        browserXssFilter: true
        contentTypeNosniff: true
        frameDeny: true
        sslRedirect: true
        #HSTS Configuration
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 31536000
        customFrameOptionsValue: "SAMEORIGIN"

The only thing I can think of is that it might be a problem with the internal port. But I don't know Traefik and Docker well enough yet to say for sure.

I appreciate any hints and suggestions for improvement.

At first glance, I would suggest changing the port to 8080:

version: '3.3'

services:
# [...]
  firefly:
    labels:
# [...]
      - "traefik.http.services.firefly-app.loadbalancer.server.port=8080"
# [...]

The firefly-iii image you're using is based on their BaseImage, whose README.md says:

Basically, I use the 7.4 Apache image with some minor changes.

One change is:

Switch to port 8080
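The Bad Gateway in the question and the port mismatch the answer identifies are the same thing seen from two sides: Traefik dials the backend on the port named in the `loadbalancer.server.port` label, and if nothing listens there it answers 502. The following is an added example (not code from the question, the answer, Traefik or Firefly III) that automates that check: it pulls the backend port out of each service's compose labels and compares it with the ports the container image declares in `Config.ExposedPorts`, as `docker inspect` reports them. The label lists and the inspect JSON are constructed inline from the two compose files in the thread and from the "port 8080" statement in the answer; `EXPOSE` is only a declaration, so a listener on an undeclared port is not detected, and an image that declares nothing yields no verdict rather than a false alarm.

```python
"""Compare Traefik backend-port labels with a container's EXPOSEd ports.

Added example, not part of the original thread. The sample labels and the
`docker inspect` fragments below are constructed from the compose files and
the answer in the thread; they are not captured from a live host.
"""
import json
import re

# Matches the one label Traefik uses to pick the backend port for a service.
LABEL_RE = re.compile(
    r"^traefik\.http\.services\.(?P<svc>[^.]+)\.loadbalancer\.server\.port=(?P<port>\d+)$"
)

# Constructed: the labels as posted in the two docker-compose.yml files.
FIREFLY_LABELS = [
    "traefik.enable=true",
    "traefik.http.routers.firefly-app-secure.service=firefly-app",
    "traefik.http.services.firefly-app.loadbalancer.server.port=80",
]
FIXED_FIREFLY_LABELS = [
    "traefik.http.services.firefly-app.loadbalancer.server.port=8080",
]
NEXTCLOUD_LABELS = [
    "traefik.enable=true",
    "traefik.http.routers.nextcloud-app-secure.service=nextcloud-app",
    "traefik.http.services.nextcloud-app.loadbalancer.server.port=80",
]

# Constructed: the Config.ExposedPorts slice of `docker inspect <container>`.
# Firefly III's image listens on 8080 (per the answer); Nextcloud's on 80.
FIREFLY_INSPECT = json.dumps([{"Config": {"ExposedPorts": {"8080/tcp": {}}}}])
NEXTCLOUD_INSPECT = json.dumps([{"Config": {"ExposedPorts": {"80/tcp": {}}}}])
NO_EXPOSE_INSPECT = json.dumps([{"Config": {"ExposedPorts": None}}])


def label_ports(labels):
    """Map Traefik service name -> backend port declared in the compose labels."""
    ports = {}
    for label in labels:
        m = LABEL_RE.match(label)
        if m:
            ports[m.group("svc")] = int(m.group("port"))
    return ports


def exposed_ports(inspect_json):
    """Set of TCP ports the image declares with EXPOSE, read from docker inspect."""
    cfg = json.loads(inspect_json)[0]["Config"]
    return {
        int(p.split("/")[0])
        for p in (cfg.get("ExposedPorts") or {})
        if p.endswith("/tcp")
    }


def port_mismatches(labels, inspect_json):
    """Return [(service, label_port, exposed_ports)] for every Traefik service
    whose declared backend port is not one the container exposes.

    Traefik answers "Bad Gateway" when the dial to that port is refused, which
    is exactly this case. An image that declares no ports gives no verdict
    (empty list), because EXPOSE is only a hint about where the process listens.
    """
    exposed = exposed_ports(inspect_json)
    if not exposed:
        return []
    return [
        (svc, port, sorted(exposed))
        for svc, port in label_ports(labels).items()
        if port not in exposed
    ]


if __name__ == "__main__":
    for name, labels, inspect in (
        ("firefly", FIREFLY_LABELS, FIREFLY_INSPECT),
        ("firefly (fixed)", FIXED_FIREFLY_LABELS, FIREFLY_INSPECT),
        ("nextcloud-app", NEXTCLOUD_LABELS, NEXTCLOUD_INSPECT),
    ):
        for svc, port, exposed in port_mismatches(labels, inspect):
            print(f"{name}: label says port {port}, image exposes {exposed}; fix the label")
```

On a live host you would feed `port_mismatches` the label list from `docker inspect -f '{{json .Config.Labels}}' firefly` and the full `docker inspect firefly` output instead of the constructed constants; a mismatch there is the first thing to fix before looking at Traefik itself.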